university system of georgia enterprise risk management (erm)

“Creating A More Educated Georgia”

University System of Georgia�Enterprise Risk Management (ERM)

“Creating A More Educated Georgia”

Agenda

•  What is ERM? •  How are we implementing ERM? •  The Way Ahead

2

“Creating A More Educated Georgia”

What is ERM? (1/5)

ERM is a process-driven tool that enables senior management to visualize, assess, and manage significant risks that may adversely impact the attainment of key organizational objectives. – USG Definition

3

“Creating A More Educated Georgia”

What is ERM? (2/5)

•  ERM is: – A logical, disciplined approach to “seeing” and

categorizing risk – Time intensive at launch – A tool to positively change culture – Focused on accountability

4

“Creating A More Educated Georgia”

What is ERM? (3/5)

• ERM is not:– Solely a function of business affairs or

traditional risk management functions– Bureaucratic– Independent from strategic planning; rather, it

is core to achieving strategic objectives

5

“Creating A More Educated Georgia”

•  Risks are categorized as follows: – Strategic – Compliance – Reputational – Financial – Operational

What is ERM? (4/5)

6

“Creating A More Educated Georgia”

What is ERM? (5/5)

7

“Creating A More Educated Georgia”

How does ERM “work?” (1/4)�Step 1 – Establish ERM Framework

8

A.  Identify Project Champion – Executive-level official (Chancellor, President, Chief X Officer) who will provide support and direction to process.

B.  Identify Project Owner - Senior-level official who will provide ongoing management and oversight to ERM implementation.

C.  Establish Steering Committee – Executive/senior-level officials representing key organizational areas.

• Working Groups will be established on an ad hoc basis to brainstormand assess key risks.

“Creating A More Educated Georgia”

How does ERM “work?” (2/4)�Step 2 – Identify Key Obj.

A.  List key objectives – Steering Committee identifies institutional and USG strategic objectives.

B.  Prioritize objectives – Steering Committee uses ranking or other system to select top objectives (should not exceed 3-5 objectives per division head).

C.  Select objectives for assessment – Steering Committee selects 4-6 top objectives for initial risk assessment by the Steering Committee. (Note: Steering Committee will select next 4-6 top objectives for risk assessment on an ongoing basis until all key objectives have undergone risk assessment.)

“Creating A More Educated Georgia”

How does ERM “work?” (3/4)�Step 3 – Identify Key Risks

A.  Brainstorm and assess risks – Steering Committee conducts initial risk assessment through calculation of impact and likelihood without consideration of current controls or mitigation plans.

1. Steering Committee must understand the key components/processassociated with selected objectives.

2. Objectives may be assigned to a Project Owner/Responsible Individual foranalysis and presentation to the Steering Committee to assist with the riskdevelopment process.

B.  Assign risks rated 4 or higher to a specific Risk Owner.

“Creating A More Educated Georgia”

How does ERM “work?” (4/4)�Step 4 – Manage Risks

A.  Identify current controls and mitigation requirements – Risk owners identify the current controls, mitigation steps, or other actions already taken by the institution to reduce risk. The risk is assessed again to determine likelihood and impact.

B.  Develop mitigation plan for key risks – Risk owners develop mitigation plans for risks still ranked 4 or higher.

C.  Conduct quarterly meetings to review status – Steering Committee holds quarterly meetings to approve and to review the status of risk owner mitigation plans. Risk scores may be adjusted by the Steering Committee to reflect the risk after implementation of the mitigation plan.

D.  Continue process – Steering Committee incorporates new risks into the ERM process (steps 2-4) as current risks are mitigated

“Creating A More Educated Georgia”

Saving the Best for Last

•  Key Points to Remember –  Risk, in one form or another, is present in virtually all

worthwhile endeavors. –  ERM is a management tool – this process can and

should be changed to work for YOUR organization. –  ERM ultimately should change the organizational

culture – however, change is slow, painful, and time-consuming. Frustration and confusion are simply part of the process – the long-term result is worth it.

“Creating A More Educated Georgia”

The Way Ahead�

• Conducting Risk Assessment Workshops–

• Refining ERM model:– Collaborative effort– Scalable– Risk visibility

• Identifying solutions– Facilitate sharing of

ERM risks andmanagement solutionsamong institutions

– Identify and manage“system” risks

USO will support ERM implementation by:

13

“Creating A More Educated Georgia”

Thank You

14